Ensure all company computers are equipped with up-to-date antivirus protection software.

Risk Control

Is your company keeping information secure? Are you taking steps to protect sensitive information? Safeguarding sensitive data in your files and on your computers is just plain good business. After all, if that information falls into the wrong hands, it can lead to fraud or identity theft. A sound data security plan is built on five key principles:

Take stock. Know the nature and scope of the sensitive information contained in your files and on your computers.

Scale down. Keep only what you need for your business.

Lock it.Protect the information in your care.

Pitch it.Properly dispose of what you no longer need.

Plan ahead.Create a plan to respond to security incidents.

The following information is provided by the Federal Trade Commission, Bureau of Consumer Protection.

Take Stock

Know the nature and scope of the sensitive information contained in your files and on your computers.

Take inventory of all file storage and electronic equipment. Where does your company store sensitive data?

Talk with your employees and outside service providers to determine who sends sensitive information to your business, and how it is sent.

Consider all of the methods with which you collect sensitive information from customers, and what kind of information you collect.

Review where you keep the information you collect, and who has access to it.

Scale Down

Keep only what you need for your business.

Use Social Security numbers only for required and lawful purposes. Don’t use SSNs as employee identifiers or customer locators.

Keep customer credit card information only if you have a business need for it.

Review the forms you use to gather data — like credit applications and fill-in-the-blank web screens for potential customers — and revise them to eliminate requests for information you don’t need.

Truncate the account information on any electronically printed credit and debit card receipts that you give your customers. You may include no more than the last five digits of the card number, and you must delete the card’s expiration date.

Develop a written records retention policy, especially if you must keep information for business reasons or to comply with the law.

Lock It

Protect the information that you keep.

Put documents and other materials containing sensitive information in a locked room or file cabinet.

Remind employees to put files away, log off their computers, and lock their file cabinets and office doors at the end of the day.

Implement appropriate access controls for your building.

Encrypt sensitive information if you must send it over public networks.

Regularly run up-to-date anti-virus and anti-spyware programs on individual computers.

Create security policies for laptops used both within your office, and while traveling.

Use a firewall to protect your computers and your network.

Set “access controls” to allow only trusted employees with a legitimate business need to access the network.

Monitor incoming Internet traffic for signs of security breaches.

Check references and do background checks before hiring employees who will have access to sensitive data.

Create procedures to ensure workers who leave your organization no longer have access to sensitive information.

Educate employees about how to avoid phishing and phone pretexting scams.

Pitch It

Properly dispose of what you no longer need.

Create and implement information disposal practices.

Dispose of paper records by shredding, burning, or pulverizing them.

Defeat “dumpster divers” by encouraging your staff to separate the information that is safe to trash from sensitive data that needs to be discarded with care.

Make shredders available throughout the workplace, including next to the photocopier.

Use a “wipe” utility programs when disposing of old computers and portable storage devices.

Give business travelers and employees who work from home a list of procedures for disposing of sensitive documents, old computers, and portable devices.

Plan Ahead

Create a plan for responding to security incidents.

Create a plan to respond to security incidents, and designate a response team led by a senior staff person(s).

Draft contingency plans for how your business will respond to different kinds of security incidents. Some threats may come out of left field; others — a lost laptop or a hack attack, to name just two — are unfortunate, but foreseeable.

Investigate security incidents immediately.

Create a list of who to notify — inside or outside your organization — in the event of a security breach.

Immediately disconnect a compromised computer from the internet.

Be Aware of CATO Fraud

Corporate Account Take Over is a growing form of electronic crime where thieves typically use some form of malware, or malicious software, to obtain login credentials to corporate online banking accounts, and fraudulently transfer funds from the accounts. Another means fraudsters commonly employee is phishing, masquerading as a trustworthy entity in an electronic communication or through social engineering to gain access to your sensitive information.

These attacks can result in substantial monetary loss for your company that, often, cannot be recovered. As a bank, we do everything we can to keep your money safe. Unfortunately, our security practices can only go so far to protect your accounts from corporate account takeover. There are some vulnerabilities that can only be addressed from the company side and therefore require that the business implement sound practices with their staff, systems and offices.

HOW DOES CATO FRAUD HAPPEN?

CATO attacks do not target the security systems or computers of the financial institutions; instead these attacks seek to find customers that have the ability to initiate funds transfers from bank accounts using their computers. The goal is to obtain the customer’s access codes, (user name and password), without the customer’s knowledge so they will continue to be active and the crook can perform financial transactions impersonating the customer. A common way this is done is to get the customer/user to click on a link in an email, website or pop-up that installs a malware program on the customer’s computer. The malware will secretly record the customer’s activity and use a “key-logger” to record the user names and passwords as they are entered when logging into a banking site. This information is either retrieved by the fraudster using a remote connection opened by the malware or sent to their computer for them to use remotely. They may also compromise the email accounts of the user to send transfer requests from the customer/users email account. Other computer information is also stolen such as security cookies or other information to allow the fraudster to logon to the bank’s system to make everything appear to look like they are the actual user.

In some cases, the fraudster may use “social engineering” as the way the get this information. To do this, the fraudster may place a call, send an email or make a personal visit to the office and claim to be from the bank or another trusted source and requests the information as part of a trouble-shooting effort. Many times it is done with an email that claims the user must update their account information or confirm a password due to a problem or security alert that appears to be from a financial institution.

Once the fraudster has the customer/user’s banking credentials (login and password), they will logon to the banking sites and create transfers normally using the ACH or Wire Transfer features to steal funds from the accounts tied to the credentials. These methods are the primary ones selected because they can send large amounts of money and the funds are immediately available for withdrawal when received or on the next day. The money may go straight to the fraudster, but more often it will go to a person that has been recruited to receive and immediately forward the funds to the crooks. The “money-mule” will typically not know they are part of a fraud and responded to an employment, or other advertisement on the web that promised they can keep a handling fee. This trick keeps the fraudster’s identity and location out of the transaction. Once the money has been withdrawn, recovery is nearly impossible due to the banking rules.

After the discovery of the fraudulent transactions, the business and bank will need to work together to try to recover funds. In most cases, there will be an amount that cannot be recovered and represent a loss to either the customer or financial institution. There are currently no clear rules on who will suffer the loss in these situations. Many losses have been settled on a case-by-case basis depending on the entity that had its security responsibility breached by the compromise. In cases where a company fails to use any of the recommended security procedures offered by the bank or has lax internal security and controls, they have often been held to absorb all or a portion of the liability for the loss.

SOUND BUSINESS PRACTICES THAT CAN HELP PREVENT CATO LOSSES

We have outlined some ideas on areas or tools that can be used to thwart fraudsters that want to attack your business or staff. Although even if every suggestion or recommendation is adopted by the business; a potential for a user’s account to be compromised will be present. The bank is constantly working to add other security measures on our side to proactively detect suspicious activity or perform other security reviews and out-of-band confirmations prior to allowing the completion of a funds transfer. Here are some security measures we urge you to take to safeguard your business from fraud.

EDUCATION & INTERNET RISK AWARENESS

The battle begins with creating a work environment where the staff is aware of the threats posed by using the internet and how it is a doorway into the computer network of the company. Sharing this document can help educate your employees about cybercrimes and other means fraudsters may attempt to steal access to the company’s accounts.

It is everyone’s job to help keep the computer systems secure from outsiders. Even a laptop or home computer that has remote access to the network can allow hackers access if the user’s PC is compromised and has sufficient network rights. Below are some tips that should be shared with the staff:

Think! Responding to any call or email, first ask yourself, “Does this email or phone call make sense?”

Deny! Never provide your user ID and password to anybody.

Distrust! Do not trust ANY email, internet site, link or caller unless you know for sure it is legitimate

Conduct Training Sessions and Stay Current: Hold staff training about the risks and keep up with news articles or fraud awareness updates.

Link Avoidance. Never click on a link in an email or internet site unless you know for sure it is legitimate

Download Avoidance. Never approve anything to be loaded on your computer that was downloaded from an email or website unless you specifically went to a trusted site or made the request. (When in doubt, don’t allow it!)

Monitor and reconcile accounts daily. Make sure employees know how and to whom to report suspicious activity at your company and the bank.

Take advantage of security options offered by the bank. Consult with your bank to determine what security settings and options may help minimize your risk and have them activated.

Don’t wait. Notify your manager or IT department if you suspect anything is unusual us right away.

COMPUTER SECURITY

Protecting computers and internal networks from unauthorized access is a challenge where the security plan will differ at each business or customer due to their specific computing needs and structure. Layers of security systems and access rights generally will offer greater protection, but every business should develop and implement a security plan that is designed to prevent and mitigate the risk of CATO. Some of the common elements of a security plan would include many of the items listed below.

Network Protection Tools. These items are used to block unauthorized traffic from entering the internal network, checking for virus/malware and reporting suspicious activity.

Firewall Blocks unauthorized traffic

Security Suites with Anti-Virus Program Identifies potentially malicious programs and quarantines or automatically removes them from the system and set the scans to update and run daily.

Isolated Banking Computer. Sometimes it may be possible to limit a PC to only conduct banking activity and not allowing it connections for general web browsing, email and social networking to reduce the threat of being infected.

Screensavers: This will lock unattended computers and require a password to unlock it.

Network Rights: Services, directories, programs and access is controlled to limit a user to only be able to perform tasks or access data that they have a business need to use.

CD Drives & USB Drives (or Thumbdrives) Deactivations: Disable drives to prevent any program or files to be uploaded or downloaded from the network or PC to these removable data media.

Website, Application & Pop-Up Blocking. The firewall or activity monitoring system can be sent to block sites or applications that may represent a greater risk for malware or fraud.

Secure Email. If confidential information is sent using email, there are systems that can encrypt the message so it can only be read by the intended recipient.

Penetration Test and Vulnerability Scans. In some cases, a business may have an external consultant test the security of their systems for possible vulnerabilities from the outside or internal workstations.

Laptops & Remote Access Security. Insure that any PC or device that can access the internal network uses a secure connection. Company laptops may consider encrypting the data drives if confidential information is present.

A key element of the security procedures is the reviewing of activity on your accounts to help detect any unusual, unauthorized or suspicious as soon as possible. Statistics show that customers will discover fraud before the bank in over 60% of the cases. Here are some tips on how to help secure your accounts.

Review Daily Activity. Check the account transactions that post on a daily basis to look for anything that is not authorized. . If you used Quicken or QuickBooks, consider downloading transactions daily to keep your accounting records up-to-date and quickly identify anything unusual.

Reconcile: Balance the accounts at least monthly and report any errors or unauthorized entries promptly

Limit Access: Only allow staff with a need to access or initiate transactions rights to the account. (Review the staff list and access rights occasionally to make sure they are set properly.)

Alerts. Enroll in alerts (text and/or emails) to be sent to the appropriate staff for any activity that may represent a greater risk, such as debit cards, ACH originations, Wire transfers, external transfers, maintenance changes or significant balance changes.

Record Security. Shred old statements, checks or other confidential records with account numbers and access information. Consider e-Statements and e-Notices to minimize paper record or mail theft.

USER SECURITY

A key element of the security procedures is the reviewing of activity on your accounts to help detect any unusual, unauthorized or suspicious as soon as possible. Statistics show that customers will discover fraud before the bank in over 60% of the cases. Here are some tips on how to help secure your accounts.

Limit Administrative Rights. Do not use the administrator user credentials for performing day-today processing.

Never Share User IDs/Passwords. Issue separate IDs for every staff member and make sure the staff does not share or post the password where others can view or use it.

Multi-factor Authentication Logins. Use a bank that employs systems that use multiple ways to confirm the user’s id or authorization.

Use Dual Control. For monetary transactions, require two different users to complete the transaction. One would create the transaction and a different user will be required to approve it before it can be processed.

Enroll in Alerts. Sign up for transaction, debit cards, maintenance and balance alerts to be sent whenever there is activity on the account or user.

Use Out-Of-Band Security methods. Where possible, use an out-of-band method to confirm financial transactions initiated over an electronic channel. (Out-Of-Band means that a confirmation is performed using a different method from how the transaction was creates. For example, if a computer was used to create a transaction via an Internet Banking site, a cell phone call would be place to the user to confirm they submitted the transaction.)

Keep Contact Information Current. This is important if the bank needs to contact the user to confirm any suspicious transaction. The cell phone number is very important.

Require good passwords and changes. This is a basic security recommendation for any user.

Limit Account Access and Right Reviews. Only give rights that the user needs to perform their duties.

DETECTION and RESPONSE

Time is money! Nowhere is this truer than with a CATO attack because the sooner the fraud is detected and reported, the greater chance to stop future losses and potentially recover funds that may have been taken. The steps listed in the prior sections will enhance the security procedures that should help stop or detect suspicious of unauthorized activity quickly.

If you suspect or identify an unauthorized transaction has been attempted or completed, NOTIFY US IMMEDIATELY! We prefer a telephone call to at (325) 247-5741 and ask for an ACH Origination personnel, and they will gather information, block user access and get our fraud department engaged. If you feel your PC has been compromised, turn it off or disconnect from the Internet immediately to block further access by the hacker. We will work with your staff to monitor your accounts and determine the source of the security breach. We do have additional resources that are available if you find yourself in this situation and we will provide them upon request.

TAKE THE TEST – FRAUD AWARENESS SELF-ASSESSMENT

Southern Bank is concerned about your privacy and security regarding your confidential financial information. This worksheet is provided as a tool to evaluate the risks and security issues related to certain activities or behaviors in your daily life. All the answers should be “Yes,” and any “No” answers indicate that you may be at a greater risk for an attempted or successful fraud attack. If you have any questions about the security of your accounts at the bank, please contact any of our customer service representatives.

Self-Audit Questionnaire for Fraud Awareness:

Yes No

□ □ Your computers have anti-virus, spyware and malware protection software that is updated regularly with scheduled scans performed at least on a weekly basis. Your operating systems and web-browsers are also updated with the latest patches, and you have activated your personal firewall. [If No, install and update these critical software tools regularly from legitimate sources.]

□ □ When using social media, you do not include personal information such as your physical address, phone number or date of birth including the year. Additionally, you do not list any additional confidential information such as the city where you were born, your mother’s maiden name, or Social Security Number on websites or comments. [If No, remove this information from your profiles or comments.]

□ □ You use different passwords for your various banking sites which do not include easily guessable words or identifiable traits such as your birthday, name of a family member, or pet. Your passwords are not less than 5 characters and at least 2 of the characters are a number, special symbol and/or Capital letter. [If No, change your passwords. We recommend that you change them every 90 days.]

□ □ When using email, you never include confidential information about your financial accounts or other information that could provide access to your banking accounts. This would include your account numbers, bank name, login IDs, passwords and other confidential information. You do not click on links in emails unless you are sure they are from a legitimate or trusted source. [If No, stop including this information – email is insecure and can be intercepted.]

□ □ When discarding statements or other documents that contain confidential information, you always shred the document or obliterate the information that is confidential. This information typically is the account number, name, address, bank or other identifying data that could be used to allow unauthorized access or an account takeover. [If No, start shredding or masking data – dumpster diving is a big ID theft threat.]

□ □ You have set up transaction and balance alerts on your debit cards or deposit accounts to warn you when transactions are completed or if the balance changes significantly. [If No, contact us to set up alerts as necessary to monitor activity.]

Answering “Yes” to all these questions will not guarantee that you will not be a victim of fraud, but it should lower your exposure to many of the common threats and risks in the marketplace.

EXPLANATION OF POTENTIAL LIABILITY

Companies are expected to employ reasonable security procedures when conducting financial transactions. CATO frauds typically target security lapses at the business, access device (PC, email, mobile phone) or user level. In most cases, the bank is not in a position to control or dictate what security policies or procedures are actually used by the business or customer when conduction their banking electronically. As mentioned before, if a loss occurs, the business/customer may be held liable for the portion of the loss that can be attributed to their failure to use reasonable care and security procedures as recommended by the bank. The amount of loss can be sizable and therefore requires that the business take appropriate measures to incorporate the security procedures that are recommended and available as long as they do not result in unreasonable demands on the business or user.

If a CATO loss does occur, the bank will work with our customers to seek the most appropriate resolution to the situation. If the bank fails to perform our fiduciary duties in accordance to industry standards, we generally will assume all or some of the liability. We will follow all applicable laws and regulations when dealing with a CATO incident.